This new version of the Petya ransomware is spreading rapidly, affecting organizations, businesses, and end users, turning into an outbreak reminiscent of the one caused by WannaCry. It has already impacted many organizations, both large and small.
The attackers are distributing the ransomware, dubbed Petya, via a malicious email campaign targeting human resource departments.
Once Petya compromises a system, the malware overwrites the Master Boot Record with a custom boot loader. Once the Master Boot Record has been altered, Petya causes Windows to crash and reboot. During the reboot the new malicious ransomware loader will display a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya encrypts the Master File Table on the drive. Once the Master File Table is encrypted, the computer does not know where files are located, or if they even exist, and thus they are not accessible
With the Master File Table encrypted, the ransomware presents a ransom message to the user, instructing them to visit a site via the Tor browser where they are instructed to pay the ransom.
Do not pay the Ransom! The email provider has closed the account of the hacker behind the Petya Ransomware outbreak. You will not be able to receive the decryption keys.
The prevention tips and recommendations below will help protect from Petya and similar Ransomware attacks.
- The malware requires administrator rights to the local computer. Consider restricting who has local admin rights to prevent execution of exploit code within the organization
- Some Windows systems are configured to automatically reboot if it crashes. This feature can be disabled.
- Deploy latest Microsoft patches
- Consider disabling SMBv1 to prevent the malware from spreading
- Ensure your antivirus solution is up to date
- Ensure you have backup copies of your files.
- Restrict the use of system administration tools such as PowerShell and PsExec.
Beringer Technology Group is always here to provide expert knowledge in topics like these. Contact us today for any questions you may have.